Understanding The DAO Attack

David Siegel is a blockchain strategist and speaker, founder of Kryptodesign.com and curator of DecentralStation.com, a place to learn about blockchain.

In this piece, Siegal attempts to help journalists understand what happened when The DAO collapsed and why he believes it’s important for the press to get the story right.

The article will be updated on Medium as the situation develops. Disclaimer: Siegal owns a small number of DAO tokens.

The basics

The ethereum network is a network of computers all running the ethereum blockchain. The blockchain allows people to exchange tokens of value, called ether, which is currently the second most popular cryptocurrency behind bitcoin. ethereum also allows people to write and put on the network smart contracts – general-purpose code that executes on every computer in the network (currently over 6,000 computers). People then execute these programs by sending ether to them.

A DAO is a Decentralized Autonomous Organization. Its goal is to codify the rules and decisionmaking apparatus of an organization, eliminating the need for documents and people in governing, creating a structure with decentralized control.

Here’s how it works:

A group of people writes the smart contracts (programs) that will run the organization

There is an initial funding period, in which people add funds to the DAO by purchasing tokens that represent ownership – this is called a crowdsale, or an initial coin offering (ICO) – to give it the resources it needs.

When the funding period is over, the DAO begins to operate.

People then can make proposals to the DAO on how to spend the money, and the members who have bought in can vote to approve these proposals.

It’s important to understand that great care has been taken not to make these tokens into equity shares – they are more like contributions that give people voting rights but not ownership. In most cases, a DAO is not owned by anyone – it’s just software running on the ethereum network.

The very first DAO is bitcoin itself, which is governed by consensus among its core team and its mining network. All other DAOs have been launched on the ethereum platform.

“The DAO” is the name of a particular DAO, conceived of and programmed by the team behind German startup Slock.it – a company building “smart locks” that let people share their things (cars, boats, apartments) in a decentralized version of Airbnb.

The DAO launched on 30th April, 2016, with a 28-day funding window.

For whatever reason, The DAO was popular, raising over $100m by 15th May, and by the end of the funding period, The DAO was the largest crowdfunding in history, having raised over $150m from more than 11,000 enthusiastic members. The DAO raised far more money than its creators expected.

It can be said that the marketing was better than the execution, for during the crowdsale, several people expressed concerns that the code was vulnerable to attack.

Once the crowdsale was over, there was much discussion of first addressing the vulnerabilities before starting to fund proposals. In particular, Stephan Tual, one of The DAO’s creators, announced on 12th June that a “recursive call bug” had been found in the software but that “no DAO funds [were] at risk”.

At the time, more than 50 project proposals were waiting for The DAO’s token holders to vote on them.

It’s important to reiterate that the ethereum network has no such bugs and has been working perfectly the entire time. All networked systems are vulnerable to various kinds of attacks. The ethereum network, which supports (depending on the price) around $1bn worth of ether, has not been hacked and is continuously executing many other smart contracts.

Everyone who writes a smart contract knows that if it can move a large amount of cash it will be subject to attack. This particular vulnerability was discovered recently in another system, called Maker DAO, and was neutralized quickly because that DAO was still in testing.

Many people feel that testing and certifying smart contracts will be an important part of keeping the ethereum ecosystem safe. You’ll find several smart-contract validation services listed at DecentralStation.com.

The Hack

Unfortunately, while programmers were working on fixing this and other problems, an unknown attacker began using this approach to start draining The DAO of ether collected from the sale of its tokens.

By Saturday, 18th June, the attacker managed to drain more than 3.6m ether into a “child DAO” that has the same structure as The DAO. The price of ether dropped from over $20 to under $13.

Several people made attempts to split The DAO to prevent more ether from being taken, but they couldn’t get the votes necessary in such a short time. Because the designers didn’t expect this much money, all the ether was in a single address (bad idea), and we believe the attacker stopped voluntarily after hearing about the fork proposal (see below). In fact, that attack, or another similar one, could continue at any time.

Smart contracts are meant to be stand-alone agreements – not subject to interpretation by outside entities or jurisdictions. The code itself is meant to be the ultimate arbiter of “the deal” it represents. But of course, that’s an idealist (crypto-anarchist) perspective.

Even before the attack, several lawyers raised concerns that The DAO overstepped its crowdfunding mandate and ran afoul of securities laws in several countries. Lawyers also pointed to its creators as potentially liable for any problems that may occur, and several expressed concern that token holders of The DAO were accepting responsibility they were likely unaware of. The DAO exists in a gray area of law and regulation.

Because the child DAO has the same structure, limitations, and vulnerabilities as the parent DAO, the ether in this newly created child DAO can’t be accessed for 28 days, as that is the initial funding period.

Everyone can see the ether in this child DAO – any attempts to cash it in will trigger alarms and investigations. It could be that the attacker will never get to cash or spend a single ether of it.

It’s entirely possible that the attacker had a large short position on ether at the time of the attack, which he or she then cashed out after ether had been cut roughly in half. The attacker may already have made his money, regardless of the ether sitting in the child DAO.

There are things the Ethereum Foundation could do that may be able to nullify the ether in this DAO. That’s where things get complicated.

The Soft-Fork Proposal

The DAO contains roughly 15% of all ether, so a failure of The DAO has a negative impact on the ethereum network and its cryptocurrency.

It’s worth noting that dozens of startups are working on DAO or governance products, many smart contracts have similar vulnerabilities and building complex software using smart contracts is still in its infancy. Everyone involved has a stake in what happens next.

All eyes are on The DAO and the Ethereum Foundation, hoping for a resolution that allows the ecosystem to continue to develop as it was before.

To understand what happens next, you will need to understand blockchain basics: A network of nodes puts transactions into blocks and blocks into a single chain that represents the “truth” of what has happened. If two competing transactions happen at about the same time, the network resolves this conflict by choosing one and rejecting the other, so all nodes have the exact same copy of the distributed ledger.

The only way to “rewrite history” would be to have at least 51% of all nodes agree to such a collusion – something that has never happened in the history of bitcoin or ethereum. The goal of a decentralized network is that no one has the power to do that, or the network itself becomes untrustworthy.

On 17th June, Vitalik Buterin of the Ethereum Foundation issued a critical update, saying that the DAO was under attack and that he had worked out a solution:

A software fork has been proposed, (with NO ROLLBACK; no transactions or blocks will be “reversed”) which will make any transactions that make any calls/callcodes/delegatecalls that reduce the balance of an account with code hash0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (ie. the DAO and children) lead to the transaction (not just the call, the transaction) being invalid …

In this, Buterin specifically states that he isn’t proposing to rewrite any blocks, but just to install a “switch” in the basic ethereum code that prevents moving any ether out of the DAO or its children.

Effectively, this is a one-time fix (called a “fork”) for a one-time event that seals those ether into that address for all time.

Buterin continued:

“Miners and mining pools should resume allowing transactions as normal, wait for the soft fork code and stand ready to download and run it if they agree with this path forward for the Ethereum ecosystem. DAO token holders and ethereum users should sit tight and remain calm. Exchanges should feel safe in resuming trading ETH.”

In other words, a blacklist will be built into the ethereum code to keep the bad guy from claiming his prize. In this “freezing of assets” scenario, Buterin calls for a discussion of how to help DAO token holders recover their initial investment.

This seemingly innocuous and well-meaning “Deus ex machina” proposal – which must still be adopted by a majority of ethereum network nodes to take effect – has opened a huge can of worms.

The Attacker Responds — or Does He?

I will call the attacker a lone male, even though I have no idea if he is one.

What happened next was interesting. In an open letter to The DAO and ethereum Community, the attacker supposedly claimed that his “reward” was legal and threatened to take legal action against anyone who tried to invalidate his work. Several people pointed out that the cryptographic signature in this message wasn’t valid – it could be fake.

But it’s well written, and from a certain point of view, well reasoned: The premise of smart contracts is that they are their own arbiters and that nothing outside the code can “change the rules” of the transaction.

Later, through an intermediary, the attacker claimed that he would put a stop to the organized “theft” of his property by rewarding miners (nodes) who don’t go along with the proposed soft fork, saying:

“[S]oon we will have a smart contract to reward miners who oppose the soft fork and mines the transaction. 1m ETH + 100 BTC will be shared with miners.”

This is clearly a complex dynamic system.

These messages from “the attacker””cannot be verified, so we’ll have to wait and see what happens.

The Hard-Fork Proposal

Another proposal is more aggressive – to ask the miners to completely unwind the theft and return all ether to The DAO, where it can be redeemed by token holders automatically, thereby ending The DAO.

“By 4pm local time, the consensus was that should a soft fork be deployed within 27 days, the attacker would not be able to retrieve the funds he had stashed into a child DAO.

A subsequent hard fork could even return all ether, including the DAO’s ‘extraBalance’ and the stolen funds, back into a smart contract. That smart contract would contain a single function: withdraw().

This would make it possible for everyone who participated in the DAO to withdraw their funds: thanks to the support of the miners, and because nothing had been spent so far, nothing would be lost.”

This has the effect of rewriting the rules by which the blockchain executes, which is supposed to be impossible. Should we let that rule slide just this one time, to put the ethereum project back on track?

The Slock.it guys and most DAO tokenholders would be grateful if we did.

Responses to the soft fork

Seen on its own, the proposal is reasonable. It’s a one-time fix to a one-time problem. But many people don’t see it that way.

“The involvement of the ethereum foundation in the DAO has been and is a mistake. As I see it ethereum is supposed to be the foundational infrastructure upon which a flurry of projects and experiments are supposed to blossom, and in order for them to blossom they need a foundation that is strong, and that has integrity in the face of challenges. The hard fork proposal is a compromise that ruins that integrity and signals that projects like the DAO can influence the underlying foundation to their own advantage. To me that is totally unacceptable and is a departure from the principles that drew me to ethereum.”

The hard fork is a valid option, but it should be kept for situations which require emergency modifications of the ethereum protocol itself, and not for projects that run on it.

The fact that the Ethereum Foundation has been involved in and promoted The DAO project has been an error and it only usurps the trust that people have in ethereum as a foundational infrastructure for other projects.

I hope they will correct this error.

Another one chimed in:

“I made a bad contract in the first days ETH was online and lost 2K ETH with it, can I also get it back? Thanks!”

And finally:

“Ethereum worked exactly as intended. I don’t believe software should be updated when it works exactly as intended. You assume the risks of your investment. If you don’t understand your investment, you assume unknown risk. Anything else is a bailout by a central authority, i.e. the antithesis of the crypto world. In a related way, this is why Lehman Brothers was allowed to fail – because the deal is the deal, and if you bend the rules for a particular player, all other players will want special treatment, too.”

Too Big to Fail

Just a month after Lehman Brothers, other banks did get special treatment, and you can decide for yourself whether that was a good idea – it’s quite analogous to the situation at hand. The DAO is not an island.

It is considered “too big to fail” from the point of view of the ethereum ecosystem. It may be noted that several people from the Ethereum Foundation are DAO token holders and also have advisory positions in The DAO. Even Gavin Wood, one of the original ethereum founders, supported the fork in a blog post.

In this view, then, it’s possible that some other large projects could need to be rescued and the Ethereum Foundation, having set a precedent once, may once again ask miners to rewrite history.

The analogy to the bank bailouts is remarkable: banks were able to take huge risks hoping for huge returns, and when those trades went south, the taxpayers bailed them out (except for poor Lehman Brothers). This risk asymmetry is generally thought of as a bad way to incentivize market participants.

Those are the two extremes, but most people fall into one or the other. The long arm of the law, not to mention the tax man

The above discussion assumes we are operating in a vacuum, in crypto-anarchy space, where laws don’t apply. But people have invested real money and real laws can and will apply to this case.

In fact, all parties here may have legitimate claims that could take years to settle out in courts around the world.

Who’s at risk?

Even though they took great care to not create securities and make sure people were aware of the risks, they still may be held liable. If the DAO token holders lose most of their $150m+ investment, a class-action suit against the originators seems likely.

Other DAOs

Some people have taken The DAO smart contract word for word to implement other DAOs. In the case of a hard fork, all of the ether in any DAO that uses The DAO’s 1.0 smart contracts will forfeit their ether into a refund address, to be divided among DAO token holders. Thus, DAO token holders could end up getting more than they put in. This is sure to anger those who have put their own money into their own DAOs using The DAO 1.0 code.

DAO tokenholders

As investors, and without the protection of a corporation, all 11,000+ DAO token holders may be seen as general partners in the fund. In that case, the attacker can sue individual DAO token holders in their own home jurisdictions, claiming that they represent the entity that seized his rightful property.

The Exchanges

Not long after the initial funding period, several cryptocurrency exchanges began making markets in DAO tokens.

As part of the chain, anyone who bought DAO tokens from any exchange may sue the exchange for selling flawed investments. This could go very deep – to the level of securities law violations, or they could simply be liable for the profit they made on the tokens.

Given that several exchanges have plenty of cash, they could be among the first targets.

The Ethereum Foundation

The Ethereum Foundation has a lot at stake here. They want the network to be rock solid, to support billions of dollars worth of commerce, and to be “the operating system of the future”.

But now they are between a rock and a hard place: if they do nothing, the ethereum network suffers a setback that could take years to recover from; if they intervene, they set a dangerous precedent that erodes the social contract they set up with their network of independent nodes.

They didn’t design the ethereum network to be the judge and jury in case one or more parties are injured.

Miners and nodes

The 6,000+ full ethereum nodes may be liable for any forks they vote for.

If the attacker can be seen as having acquired his ether as a result of a “feature” of a smart contract, then he may (and has already threatened to) sue any of the miners that try to take what he feels is rightfully his away from him. He could also sue the Ethereum Foundation if they write the software that implements the fork.

On the other hand, DAO token holders could sue nodes that don’t vote for the fork, claiming that they aren’t doing the right thing. On the other hand, people running nodes like money, and they may get money from “the attacker” not to fork. It’s entirely possible that governments will step in here and try to make big changes in the governance of the Ethereum system.

The attacker

The attacker may already have made a substantial sum via market manipulation – this is illegal in many jurisdictions. He also may have a huge tax liability. There is obviously a tremendous incentive for the community to learn his identity and “out” him.

There is probably enough information out there for people to figure out who he is – it may just be a matter of time before they do.

The Aftermath

It seems at this point that The DAO will die, and that DAO token holders will get somewhere between 0% and 100% of their ether back.

It’s safe to say that the Slock.it guys have their hands full for a while, they may not get their project funded (I’m told they put quite a bit of their own money into The DAO), and they may be talking with lawyers for months.

The DAO is still subject to another similar attack.

Vitalik can propose an ethereum-based solution, but the nodes must decide. It’s not clear which of these paths the nodes will take. Many people say that “doing nothing is perhaps the worst option”. It depends which side of various fences you’re on. There are slippery slopes everywhere.

There’s another wrinkle: The Ethereum Foundation is on track to switch to a new consensus mechanism called “proof of stake”, and in that scenario, anyone who owns 14% of all ether will have tremendous control over the future blockchain.

In fact, Vitalik has asked for projects to have a limit of $10m or so, to help contain the magnitude of unintended errors.

It’s also very likely that there will be lawsuits. We could see a total mess, with lawsuits extending for many years. Or we could see a fairly neat and tidy ending, ethereum goes on and “the attacker” never surfaces again.

Though I would bet 5 ether that the attacker will be found within a month or two. Even though the letter and the spirit of smart contracts is that “smart contracts rule,” and the rule of law doesn’t apply – in this case, most people would like to see a do-over. I’m guessing we will see various rules of law apply.

I have tried to stick with the facts, and now I will offer one simple opinion: This situation will resolve itself well if the attacker will simply buy a bunch of ether, then agree to work with The DAO people to return the money to all tokenholders and dissolve The DAO completely.

The attacker will have made some money, made his point, no lawyers will be involved, we will all have learned a hard lesson, and the Ethereum Foundation can start planning for a safer, more resilient future.

Summary

I believe we can say that this event marks the beginning of a new era of ethereum’s public blockchain.

While the agile approach of “ready, fire, aim” generally works best with new software, it can be dangerous when $150m gets loaded into the chamber.

Ethereum was billed as a general-purpose computer and the harbinger of a new decentralized model for computing and for society. We will see, a bit sooner than we may have wanted, how all this plays out in the real world.

The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.